I'm working on building an android application which requires different levels of authentication, and I would like to do so using Active Directory.

From what I've read, using Kerberos is the way Microsoft suggests. How do I do this for Android? I see the javax.security.auth doc, but it doesn't tell me too much.

I also saw a note somewhere that Kerberos does not contain user groups - is this true? In that case, would I have to somehow combine LDAP as well?

EDIT

The main goal here is achieving an LDAP connection to the Active Directory in order to authenticate and give the user correct permissions for the enterprise Android application. The real barrier here is the fact that Google left out many of the Java Web Services APIs from its port to Android (i.e. javax.naming). Also, many of the connection mechanisms in the Android jar seem to be only included as legacy code, and they in fact actually do nothing.

What exactly are you trying to accomplish? Are you trying to reach out from your Android device to some external servers and use Kerberos as an authentication mechanism? Or are you trying to log in users locally using their domain credentials? Also note that you will need to have an open connection from your Android device to your domain controller. This means that if you want your authentication scheme to work over the air you have to open up port 88 to your domain controller to the entire world.
– Vlad, Oct 25 '11 at 18:30

I'm trying to authenticate users and give them access to specific parts of the Android application based on the group memberships they have in the Active Directory. I have found one way to do it, I think, but I haven't been able to test it just yet on the Android application.
– Doctor Oreo, Oct 26 '11 at 0:08

4 Answers

For that you might be better off just staying completely within LDAP and not venturing into Kerberos. Kerberos gives you the advantage of Single Sign-On, but since your Android app doesn't have any credentials already in place it doesn't really help you. I guess Google had their own reasons not to include javax.naming in the distro. It is pretty heavy stuff.

You might be able to either port the stuff yourself from the Java runtime library sources, or you might be better off using a native LDAP library. For example this one.

Just remember to use a secure LDAP connection or at least a secure authentication method. More info about this is here.
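The approach this answer recommends (stay in LDAP, use a library that does not depend on javax.naming, and bind over a secure connection), as an added example that is not part of any answer on this page. It uses the UnboundID LDAP SDK, which is a pure-Java client with no javax.naming dependency; the host name, base DN, trust store path and user values are hypothetical placeholders, and the code assumes an Active Directory domain controller listening on LDAPS (port 636) with a certificate issued by a CA in the app's trust store.

```java
// Added example (not from the original answers): authenticate an Android user
// against Active Directory over LDAPS and read direct group membership with the
// UnboundID LDAP SDK (com.unboundid.ldap.sdk). All names below are hypothetical.
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

import java.security.GeneralSecurityException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLSocketFactory;

public final class AdAuthenticator {
    private final String host;           // hypothetical, e.g. "dc01.corp.example"
    private final String baseDn;         // hypothetical, e.g. "DC=corp,DC=example"
    private final String trustStorePath; // JKS/PKCS12 file holding the CA that issued the DC certificate

    public AdAuthenticator(String host, String baseDn, String trustStorePath) {
        this.host = host;
        this.baseDn = baseDn;
        this.trustStorePath = trustStorePath;
    }

    /** Binds as the user and returns the DNs of the groups listed in memberOf. */
    public Set<String> authenticate(String upn, char[] password)
            throws LDAPException, GeneralSecurityException {
        // AD treats a simple bind with an empty password as an anonymous bind, which
        // "succeeds" without proving anything. Reject it before talking to the server.
        if (upn == null || upn.isEmpty() || password == null || password.length == 0) {
            throw new LDAPException(ResultCode.INVALID_CREDENTIALS, "username and password required");
        }
        // LDAPS with the server certificate checked against our own trust store. A
        // trust-everything manager would disable server authentication entirely.
        SSLUtil sslUtil = new SSLUtil(new TrustStoreTrustManager(trustStorePath));
        SSLSocketFactory socketFactory = sslUtil.createSSLSocketFactory();

        LDAPConnection conn = new LDAPConnection(socketFactory, host, 636);
        try {
            // The user's own credentials prove identity; AD accepts a UPN as the bind name,
            // so no service account is needed for this step.
            BindResult bind = conn.bind(new SimpleBindRequest(upn, new String(password)));
            if (bind.getResultCode() != ResultCode.SUCCESS) {
                throw new LDAPException(bind);
            }
            // createEqualityFilter escapes the value, so a crafted UPN cannot change the filter.
            Filter filter = Filter.createEqualityFilter("userPrincipalName", upn);
            SearchResult result = conn.search(baseDn, SearchScope.SUB, filter, "memberOf");
            if (result.getEntryCount() != 1) {
                throw new LDAPException(ResultCode.NO_RESULTS_RETURNED,
                        "user entry not found or ambiguous");
            }
            SearchResultEntry entry = result.getSearchEntries().get(0);
            String[] groups = entry.getAttributeValues("memberOf");
            if (groups == null) {
                return Collections.emptySet();
            }
            Set<String> groupDns = new HashSet<>();
            for (String g : groups) {
                groupDns.add(g.toLowerCase()); // DNs compare case-insensitively
            }
            return Collections.unmodifiableSet(groupDns);
        } finally {
            conn.close();
        }
    }

    /** Authorization decision for the app: is the user in the given group DN? */
    public static boolean isMemberOf(Set<String> groupDns, String groupDn) {
        return groupDns.contains(groupDn.toLowerCase());
    }
}
```

Two caveats a practitioner will run into with this design: memberOf only lists direct membership (the primary group and nested groups are not in it), so an application that relies on nested groups needs the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) in its filter or a server-side lookup; and Android forbids network I/O on the main thread, so the bind must run from a background thread. Keeping the authorization decision in `isMemberOf` on a set returned by the bind, rather than re-querying the directory per screen, also means the app never holds the user's password longer than the bind itself.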

I found the documentation here to be really useful when I was writing my code to authenticate with my Kerberos server. Here's how I authenticate with my kerberos server, but you might need to tweak it for yours (hence me including the link):